US20110191853A1 - Security techniques for use in malicious advertisement management - Google Patents

Security techniques for use in malicious advertisement management Download PDF

Info

Publication number
US20110191853A1
US20110191853A1 US12/699,402 US69940210A US2011191853A1 US 20110191853 A1 US20110191853 A1 US 20110191853A1 US 69940210 A US69940210 A US 69940210A US 2011191853 A1 US2011191853 A1 US 2011191853A1
Authority
US
United States
Prior art keywords
advertisement
modification
computers
potential
security threat
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US12/699,402
Inventor
Faizal Atcha
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Yahoo Inc
Original Assignee
Yahoo Inc until 2017
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Yahoo Inc until 2017 filed Critical Yahoo Inc until 2017
Priority to US12/699,402 priority Critical patent/US20110191853A1/en
Assigned to YAHOO! INC. reassignment YAHOO! INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: ATCHA, FAIZAL
Publication of US20110191853A1 publication Critical patent/US20110191853A1/en
Assigned to YAHOO HOLDINGS, INC. reassignment YAHOO HOLDINGS, INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: YAHOO! INC.
Assigned to OATH INC. reassignment OATH INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: YAHOO HOLDINGS, INC.
Abandoned legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q30/00Commerce
    • G06Q30/02Marketing; Price estimation or determination; Fundraising
    • G06Q30/0241Advertisements
    • G06Q30/0277Online advertisement

Definitions

  • malicious advertisements have cropped up that behave normally for a period of time, but are set to, or can be triggered to, change their behavior at a later time. Such advertisements may pass editorial in their initial form, but may essentially morph into something different and dangerous, or may change their behavior and behave maliciously, at a later time, which may be during active serving.
  • the present invention provides methods and systems for use in malicious advertisement management, including techniques for ensuring that advertisements are not malicious.
  • an advertisement is tested to determine a set of information identifying a set of behavioral characteristics associated with the advertisement. After the advertisement is determined not to present a potential or actual security threat based at least in part on the set of information, whether or not after removal of any such threat, a first modification is performed to code associated with the advertisement.
  • the first modification may introduce a security coding. Any further modification, which may breach the security coding, may indicate that the advertisement is more likely to present a security threat than if the further modification had not occurred.
  • the advertisement is assessed to determine whether a further modification of code associated with the advertisement appears to have occurred following the first modification. If it is determined that such further modification has occurred, then at least one action is taken reflecting a determination that the advertisement is more likely to present a potential or actual security threat than if it had been determined that the further modification had not occurred.
  • FIG. 1 is a distributed computer system according to one embodiment of the invention.
  • FIG. 2 is a flow diagram illustrating a method according to one embodiment of the invention.
  • FIG. 3 is a flow diagram illustrating a method according to one embodiment of the invention.
  • FIG. 4 is a block diagram illustrating one embodiment of the invention.
  • FIG. 5 is a flow diagram illustrating a method according to one embodiment of the invention.
  • Some embodiments of the invention provide methods and systems for use in malicious advertisement management, including ensuring that advertisements, such as advertisements serving in connection with an online advertising exchange, do not present a security threat, for example, when served to users.
  • Some embodiments of the invention can be used with, or combined with aspects of, previously incorporated by reference application Ser. No. 12/535,514, filed on Aug. 4, 2009, entitled, “MALICIOUS ADVERTISEMENT MANAGEMENT”.
  • some techniques described in application Ser. No. 12/535,514 include comparing behavioral characteristics of advertisements at a non-active time and at an active time or times, to determine whether there has been a change that may indicate that the advertisement may be malicious.
  • Some embodiments of the present invention utilize techniques that are in some ways similar. However, potentially among other things, instead of comparing behavioral characteristics of an advertisement at different times to detect a change, some embodiments of the present invention utilize techniques that include use of a security coding.
  • a security coding is added to coding associated with the advertisement.
  • a security coding can indicate anything or any message with respect to maliciousness or non-maliciousness, threat or non-threat, level of threat, level or degree of maliciousness, a stage in maliciousness or threat assessment, a point in review for maliciousness or threat assessment, a condition with respect to maliciousness or threat, etc.
  • the advertisement may be sampled and checked to determine if the security coding has been breached, such as, for example, by being altered in any way.
  • Breach of the security coding may indicate that code associated with the advertisement has been altered, which may suggest an increased risk that the advertisement's behavioral characteristics have changed and present a threat.
  • action may be taken consistent with an increased security risk being presented by the advertisement.
  • behavioral characteristics associated with the advertisement may be determined to ensure that the advertisement has not become insecure or a threat.
  • checking of the security code provides an indication of whether the advertisement has been altered, or whether its behavioral characteristics have been altered and potentially made dangerous, without actually checking the behavioral characteristics associated with the advertisement, at least initially.
  • Some embodiments of the invention include action taken during or at the conclusion of an editorial process. For example, once an advertisement has passed an editorial process, including having been found to be non-threatening, a security coding may be introduced or added to code associated with the advertisement. Later, the advertisement can be assessed to determine whether the security coding has been breached, which may suggest that the advertisement may be more likely to have been altered from its safe form and may present a security threat.
  • an advertisement may be removed or neutralized to ensure that the advertisement does not present a security risk, prior to insertion of a security code.
  • some advertisements may be coded to cause them to, in addition to presenting a creative or graphical advertisement, access and potentially cause to be downloaded onto a user computer, perhaps transparently to a user, onto the user's computer, an insecure or malicious resource. This could include introduction of a virus, worm, Trojan horse, malware, etc.
  • Such an insecure resource may include any resource outside the control or access of an entity associated with facilitating the advertising process or serving of the advertisement, or an entity associated with operation or facilitation of an associated advertising exchange.
  • an advertisement is checked to ensure, for instance, that it will not cause access to, or downloading of, such a potentially dangerous resource.
  • the advertisement may be checked to ensure that it will not read, execute, delete, modify, add anything, etc. to a user computer, or do so in an appropriate way. This can involve checking code of or otherwise associated with the advertisement.
  • the security coding can take many different forms.
  • the security coding can act as an authentication coding or form of digital watermark, signature, certification, or other form of security, authenticity or non-alteration check.
  • the security coding can alternatively or additionally provide a message, perhaps after being decoded.
  • the message can be something simple, such as an indication of when the advertisement passed a security check, or particulars in that regard, or could be something more complex.
  • the security coding can take a which is difficult or impossible to detect, or may be invisible, from a third party or user perspective.
  • a bit or set of bits associated with one or more pixels of a graphical element of an advertisement may be modified. This may fuzz, or barely visibly or invisibly alter the code associated with, or the appearance of, the associated graphic. Even if not visibly detectable, however, the alteration may be detectable upon checking the code associated with the advertisement.
  • a series or set of such alterations may be used as a form of checksum. Such alterations may be detectable upon assessment of the advertisement or associated code, and may indicate that the advertisement has been altered and may present an increased security threat.
  • FIG. 1 is a distributed computer system 100 according to one embodiment of the invention.
  • the system 100 includes user computers 104 , advertiser computers 106 and server computers 108 , all coupled or coupleable to the Internet 102 .
  • the Internet 102 is depicted, the invention contemplates other embodiments in which the Internet is not included, as well as embodiments in which other networks are included in addition to the Internet, including one more wireless networks, WANs, LANs, telephone, cell phone, or other data networks, etc.
  • the invention further contemplates embodiments in which user computers or other computers may be or include wireless, portable, or handheld devices such as cell phones, PDAs, etc.
  • Each of the one or more computers 104 , 106 , 108 may be distributed, and can include various hardware, software, applications, algorithms, programs and tools. Depicted computers may also include a hard drive, monitor, keyboard, pointing or selecting device, etc. The computers may operate using an operating system such as Windows by Microsoft, etc. Each computer may include a central processing unit (CPU), data storage device, and various amounts of memory including RAM and ROM. Depicted computers may also include various programming, applications, algorithms and software to enable searching, search results, and advertising, such as graphical or banner advertising as well as keyword searching and advertising in a sponsored search context. Many types of advertisements are contemplated, including textual advertisements, rich advertisements, video advertisements, etc.
  • each of the server computers 108 includes one or more CPUs 110 and a data storage device 112 .
  • the data storage device 112 includes a database 116 and an Advertisement Security Program 114 .
  • the Program 114 is intended to broadly include all programming, applications, algorithms, software and other tools necessary to implement or facilitate methods and systems according to embodiments of the invention.
  • the elements of the Program 114 may exist on a single server computer or be distributed among multiple computers or devices.
  • FIG. 2 is a flow diagram illustrating a method 200 according to one embodiment of the invention.
  • an advertisement is tested at a non-active time to obtain a first set of information identifying a set of behavioral characteristics associated with the advertisement, a non-active time being a time at which the advertisement is not available for serving to users.
  • the first set of information is stored.
  • step 206 using one or more computers, based at least in part on the first set of information, it is determined that the advertisement does not appear to present a potential or actual security threat.
  • a first modification of code associated with the advertisement is performed.
  • the advertisement is assessed to determine whether a further modification of code associated with the advertisement appears to have occurred following the first modification, an active time being a time at which the advertisement is available for serving to users.
  • step 212 using one or more computers, if it is determined that the further modification has occurred, then at least one action is conducted reflecting a determination that the advertisement is more likely to present a potential or actual security threat than if it had been determined that the further modification had not occurred.
  • FIG. 3 is a flow diagram illustrating a method 300 according to one embodiment of the invention.
  • step 302 using one or more computers, it is determined that an advertisement appears to present a potential or actual security threat.
  • the apparent potential or actual security threat is neutralized, such as by modifying code associated with the advertisement.
  • Step 306 to 316 are similar to steps 202 to 212 as depicted in FIG. 2 , respectively.
  • the embodiment depicted in FIG. 3 can, for example, reflect a situation in which an advertisement is found, perhaps during an offline security check or editorial process, to present a potential or actual security threat.
  • the threatening aspect or aspects of the advertisement may be neutralized prior to a determination that the advertisement does not present a potential or actual security threat, as in step 310 .
  • steps 306 may be different or omitted.
  • FIG. 4 is a block diagram 400 illustrating one embodiment of the invention.
  • an advertiser 402 or a proxy of an advertiser, submits an advertisement 404 , which makes its way into an editorial process, as depicted by the advertisement 406 , before going active or live (being made available for serving to users).
  • the advertisement does not present a potential or actual security threat, and information reflecting this determination may be stored in a database 415 .
  • the threat is neutralize before it is determined that the advertisement does not present a threat.
  • code associated with the advertisement may be modified to remove its ability to do this.
  • security coding is introduced into code associated with the advertisement. Later, if the security coding is breached, which may include any alteration of the code associated with the advertisement, this can indicate that the advertisement has been modified following insertion of the coding, which may indicate that the advertisement is more likely to be malicious or present a threat than if the security coding had not been breached.
  • the advertisement may be sampled and assessed.
  • the advertisement 416 is sampled from an online advertising exchange 414 .
  • the advertisement 416 is assessed, also at block 412 , and its security coding is checked.
  • the advertisement is managed based on presenting a higher security risk or risk of being malicious, whereas, if the security coding is determined not to have been breached, then at step 420 , the advertisement is managed based on presenting a lower security risk or risk of being malicious. For example, management based on higher risk can include causing the ad to be taken offline or quarantined, or checking its behavioral characteristics to determine whether it presents a security threat in its current form.
  • an advertisement may be allowed to enter, re-enter, or continue to remain on the exchange 414 in active mode, and periodic or otherwise repeated assessment or checks may continue to be made.
  • FIG. 5 is a flow diagram of a method 500 according to one embodiment of the invention.
  • a set of behavioral characteristics of an advertisement are determined.
  • step 504 it is queried whether the advertisement appears to present a potential or actual security threat.
  • step 506 the advertisement is modified so as to remove or neutralize the threat, and then the method 500 returns to step 504 .
  • step 508 security coding is introduced into advertisement coding.
  • Broken line 509 represents the advertisement going live.
  • step 510 at a time during which the advertisement is live, it is determined whether the security coding has been breached. This can include sampling and assessing the advertisement and its code.
  • the advertisement is managed based on presenting a higher risk.
  • the advertisement is managed based on presenting a lower risk.

Abstract

The present invention provides methods and systems for use in malicious advertisement management. Methods and systems are provided in which, after an advertisement is determined not to present a security threat, whether initially or after removal any such threat, then a first modification is performed to code associated with the advertisement which may introduce a security coding. Further modification, which may breach the security coding, may indicate that the advertisement is more likely to present a security threat than if the further modification had not occurred.

Description

    CROSS-REFERENCE TO RELATED APPLICATION
  • This application is related to application Ser. No. 12/535,514, filed on Aug. 4, 2009, entitled, “MALICIOUS ADVERTISEMENT MANAGEMENT”, which is hereby incorporated herein by reference in its entirety.
    • BACKGROUND
  • Malicious online advertisements continue to present problems, including problems for advertising networks, such as Web portals including search engines and search engine providers, as well as for users who receive the advertisements. In a process often known as editorial, advertising networks, or other responsible or involved entities, often perform checks to try to ensure that advertisements are safe. These checks may include automated or human checks, or a combination thereof. The checks are often performed prior to the advertisements going “live”, or being available for serving to users. Designers of malicious advertisements, however, are motivated and skilled at creating malicious advertisements that are difficult to detect.
  • Additionally, factors such as sophisticated, constantly evolving, and rapidly changing technologies provide ongoing new opportunities for creative designers of malicious advertisements. This can make it very difficult to keep ahead of and detect malicious advertisements. As just one of many examples, malicious advertisements have cropped up that behave normally for a period of time, but are set to, or can be triggered to, change their behavior at a later time. Such advertisements may pass editorial in their initial form, but may essentially morph into something different and dangerous, or may change their behavior and behave maliciously, at a later time, which may be during active serving.
  • There is a need for security techniques for use in malicious advertisement management.
    • SUMMARY
  • The present invention provides methods and systems for use in malicious advertisement management, including techniques for ensuring that advertisements are not malicious. In some embodiments, at an inactive time, an advertisement is tested to determine a set of information identifying a set of behavioral characteristics associated with the advertisement. After the advertisement is determined not to present a potential or actual security threat based at least in part on the set of information, whether or not after removal of any such threat, a first modification is performed to code associated with the advertisement. The first modification may introduce a security coding. Any further modification, which may breach the security coding, may indicate that the advertisement is more likely to present a security threat than if the further modification had not occurred. At an active time, the advertisement is assessed to determine whether a further modification of code associated with the advertisement appears to have occurred following the first modification. If it is determined that such further modification has occurred, then at least one action is taken reflecting a determination that the advertisement is more likely to present a potential or actual security threat than if it had been determined that the further modification had not occurred.
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 is a distributed computer system according to one embodiment of the invention;
  • FIG. 2 is a flow diagram illustrating a method according to one embodiment of the invention;
  • FIG. 3 is a flow diagram illustrating a method according to one embodiment of the invention;
  • FIG. 4 is a block diagram illustrating one embodiment of the invention; and
  • FIG. 5 is a flow diagram illustrating a method according to one embodiment of the invention.
    •
  • While the invention is described with reference to the above drawings, the drawings are intended to be illustrative, and the invention contemplates other embodiments within the spirit of the invention.
    • DETAILED DESCRIPTION
  • Some embodiments of the invention provide methods and systems for use in malicious advertisement management, including ensuring that advertisements, such as advertisements serving in connection with an online advertising exchange, do not present a security threat, for example, when served to users.
  • Some embodiments of the invention can be used with, or combined with aspects of, previously incorporated by reference application Ser. No. 12/535,514, filed on Aug. 4, 2009, entitled, “MALICIOUS ADVERTISEMENT MANAGEMENT”. For example, some techniques described in application Ser. No. 12/535,514 include comparing behavioral characteristics of advertisements at a non-active time and at an active time or times, to determine whether there has been a change that may indicate that the advertisement may be malicious. Some embodiments of the present invention utilize techniques that are in some ways similar. However, potentially among other things, instead of comparing behavioral characteristics of an advertisement at different times to detect a change, some embodiments of the present invention utilize techniques that include use of a security coding.
  • For example, in some embodiments, either before or after an advertisement is determined not to be malicious or present a threat, a security coding is added to coding associated with the advertisement. In some embodiments, a security coding can indicate anything or any message with respect to maliciousness or non-maliciousness, threat or non-threat, level of threat, level or degree of maliciousness, a stage in maliciousness or threat assessment, a point in review for maliciousness or threat assessment, a condition with respect to maliciousness or threat, etc. Later, the advertisement may be sampled and checked to determine if the security coding has been breached, such as, for example, by being altered in any way. Breach of the security coding may indicate that code associated with the advertisement has been altered, which may suggest an increased risk that the advertisement's behavioral characteristics have changed and present a threat. As such, in some embodiments, if the security coding is breached, action may be taken consistent with an increased security risk being presented by the advertisement. For instance, if the security code is breached, behavioral characteristics associated with the advertisement may be determined to ensure that the advertisement has not become insecure or a threat. In some embodiments, checking of the security code provides an indication of whether the advertisement has been altered, or whether its behavioral characteristics have been altered and potentially made dangerous, without actually checking the behavioral characteristics associated with the advertisement, at least initially.
  • Some embodiments of the invention include action taken during or at the conclusion of an editorial process. For example, once an advertisement has passed an editorial process, including having been found to be non-threatening, a security coding may be introduced or added to code associated with the advertisement. Later, the advertisement can be assessed to determine whether the security coding has been breached, which may suggest that the advertisement may be more likely to have been altered from its safe form and may present a security threat.
  • In some embodiments, if an advertisement is determined to have threatening characteristics, such characteristics may be removed or neutralized to ensure that the advertisement does not present a security risk, prior to insertion of a security code. For instance, some advertisements may be coded to cause them to, in addition to presenting a creative or graphical advertisement, access and potentially cause to be downloaded onto a user computer, perhaps transparently to a user, onto the user's computer, an insecure or malicious resource. This could include introduction of a virus, worm, Trojan horse, malware, etc. Such an insecure resource may include any resource outside the control or access of an entity associated with facilitating the advertising process or serving of the advertisement, or an entity associated with operation or facilitation of an associated advertising exchange.
  • In some embodiments, an advertisement is checked to ensure, for instance, that it will not cause access to, or downloading of, such a potentially dangerous resource. As a further example, the advertisement may be checked to ensure that it will not read, execute, delete, modify, add anything, etc. to a user computer, or do so in an appropriate way. This can involve checking code of or otherwise associated with the advertisement.
  • In various embodiments, the security coding can take many different forms. In some embodiments, the security coding can act as an authentication coding or form of digital watermark, signature, certification, or other form of security, authenticity or non-alteration check. In other embodiments, the security coding can alternatively or additionally provide a message, perhaps after being decoded. The message can be something simple, such as an indication of when the advertisement passed a security check, or particulars in that regard, or could be something more complex.
  • In some embodiments, the security coding can take a which is difficult or impossible to detect, or may be invisible, from a third party or user perspective. For instance, in some embodiments, a bit or set of bits associated with one or more pixels of a graphical element of an advertisement may be modified. This may fuzz, or barely visibly or invisibly alter the code associated with, or the appearance of, the associated graphic. Even if not visibly detectable, however, the alteration may be detectable upon checking the code associated with the advertisement. In some embodiments, a series or set of such alterations may be used as a form of checksum. Such alterations may be detectable upon assessment of the advertisement or associated code, and may indicate that the advertisement has been altered and may present an increased security threat.
  • FIG. 1 is a distributed computer system 100 according to one embodiment of the invention. The system 100 includes user computers 104, advertiser computers 106 and server computers 108, all coupled or coupleable to the Internet 102. Although the Internet 102 is depicted, the invention contemplates other embodiments in which the Internet is not included, as well as embodiments in which other networks are included in addition to the Internet, including one more wireless networks, WANs, LANs, telephone, cell phone, or other data networks, etc. The invention further contemplates embodiments in which user computers or other computers may be or include wireless, portable, or handheld devices such as cell phones, PDAs, etc.
  • Each of the one or more computers 104, 106, 108 may be distributed, and can include various hardware, software, applications, algorithms, programs and tools. Depicted computers may also include a hard drive, monitor, keyboard, pointing or selecting device, etc. The computers may operate using an operating system such as Windows by Microsoft, etc. Each computer may include a central processing unit (CPU), data storage device, and various amounts of memory including RAM and ROM. Depicted computers may also include various programming, applications, algorithms and software to enable searching, search results, and advertising, such as graphical or banner advertising as well as keyword searching and advertising in a sponsored search context. Many types of advertisements are contemplated, including textual advertisements, rich advertisements, video advertisements, etc.
  • As depicted, each of the server computers 108 includes one or more CPUs 110 and a data storage device 112. The data storage device 112 includes a database 116 and an Advertisement Security Program 114.
  • The Program 114 is intended to broadly include all programming, applications, algorithms, software and other tools necessary to implement or facilitate methods and systems according to embodiments of the invention. The elements of the Program 114 may exist on a single server computer or be distributed among multiple computers or devices.
  • FIG. 2 is a flow diagram illustrating a method 200 according to one embodiment of the invention. At step 202, using one or more computers, an advertisement is tested at a non-active time to obtain a first set of information identifying a set of behavioral characteristics associated with the advertisement, a non-active time being a time at which the advertisement is not available for serving to users.
  • At step 204, using one or more computers, the first set of information is stored.
  • At step 206, using one or more computers, based at least in part on the first set of information, it is determined that the advertisement does not appear to present a potential or actual security threat.
  • At step 208, using one or more computers, a first modification of code associated with the advertisement is performed.
  • At step 210, using one or more computers, during an active time, the advertisement is assessed to determine whether a further modification of code associated with the advertisement appears to have occurred following the first modification, an active time being a time at which the advertisement is available for serving to users.
  • At step 212, using one or more computers, if it is determined that the further modification has occurred, then at least one action is conducted reflecting a determination that the advertisement is more likely to present a potential or actual security threat than if it had been determined that the further modification had not occurred.
  • FIG. 3 is a flow diagram illustrating a method 300 according to one embodiment of the invention.
  • At step 302, using one or more computers, it is determined that an advertisement appears to present a potential or actual security threat.
  • At step 304, using one or more computers, the apparent potential or actual security threat is neutralized, such as by modifying code associated with the advertisement.
  • Step 306 to 316 are similar to steps 202 to 212 as depicted in FIG. 2, respectively.
  • The embodiment depicted in FIG. 3 can, for example, reflect a situation in which an advertisement is found, perhaps during an offline security check or editorial process, to present a potential or actual security threat. In such an instance, the threatening aspect or aspects of the advertisement may be neutralized prior to a determination that the advertisement does not present a potential or actual security threat, as in step 310. It is to be noted that, in some embodiments, steps 306 may be different or omitted.
  • FIG. 4 is a block diagram 400 illustrating one embodiment of the invention. As depicted, an advertiser 402, or a proxy of an advertiser, submits an advertisement 404, which makes its way into an editorial process, as depicted by the advertisement 406, before going active or live (being made available for serving to users).
  • At block 408, as part of the editorial process, it is determined that the advertisement does not present a potential or actual security threat, and information reflecting this determination may be stored in a database 415. In so embodiments, if an advertisement is determined to present a threat, the threat is neutralize before it is determined that the advertisement does not present a threat. As just one example, if an advertisement is determined to present a threat because it is coded to access an insecure resource, code associated with the advertisement may be modified to remove its ability to do this.
  • Also at block 408, once it is determined that the advertisement is not a threat, security coding is introduced into code associated with the advertisement. Later, if the security coding is breached, which may include any alteration of the code associated with the advertisement, this can indicate that the advertisement has been modified following insertion of the coding, which may indicate that the advertisement is more likely to be malicious or present a threat than if the security coding had not been breached.
  • In some embodiments, at different times after the advertisement goes active or live (made available for serving to users), the advertisement may be sampled and assessed. As depicted, at block 412, the advertisement 416 is sampled from an online advertising exchange 414. The advertisement 416 is assessed, also at block 412, and its security coding is checked.
  • At block 418, based at least in part on the assessment, it is determined whether the security coding has been breached, and information relating to this determination is stored in the database 415. If the security coding is determined to have been breached, at block 422, the advertisement is managed based on presenting a higher security risk or risk of being malicious, whereas, if the security coding is determined not to have been breached, then at step 420, the advertisement is managed based on presenting a lower security risk or risk of being malicious. For example, management based on higher risk can include causing the ad to be taken offline or quarantined, or checking its behavioral characteristics to determine whether it presents a security threat in its current form. As indicated by arrow 424, in some embodiments, once determined to present a lower or no risk, an advertisement may be allowed to enter, re-enter, or continue to remain on the exchange 414 in active mode, and periodic or otherwise repeated assessment or checks may continue to be made.
  • FIG. 5 is a flow diagram of a method 500 according to one embodiment of the invention. At step 502, a set of behavioral characteristics of an advertisement are determined.
  • At step 504, it is queried whether the advertisement appears to present a potential or actual security threat.
  • If so, at step 506, the advertisement is modified so as to remove or neutralize the threat, and then the method 500 returns to step 504.
  • If not, at step 508, security coding is introduced into advertisement coding.
  • Broken line 509 represents the advertisement going live.
  • At step 510, at a time during which the advertisement is live, it is determined whether the security coding has been breached. This can include sampling and assessing the advertisement and its code.
  • If so, at step 512, the advertisement is managed based on presenting a higher risk.
  • If not, at step 514, the advertisement is managed based on presenting a lower risk.
  • It is to be understood that the method 500 depicted in FIG. 5 is simplified and merely for illustrative purposes.
  • The foregoing description is intended merely to be illustrative, and other embodiments are contemplated within the spirit of the invention.

Claims (20)

1. A method comprising:
using one or more computers, testing an advertisement at a non-active time to obtain a first set of information identifying a set of behavioral characteristics associated with the advertisement, a non-active time being a time at which the advertisement is not available for serving to users;
using one or more computers, storing the first set of information;
using one or more computers, based at least in part on the first set of information, determining that the advertisement does not appear to present a potential or actual security threat;
using one or more computers, performing a first modification of code associated with the advertisement;
using one or more computers, during an active time, assessing the advertisement to determine whether a further modification of code associated with the advertisement appears to have occurred following the first modification, an active time being a time at which the advertisement is available for serving to users; and
using one or more computers, if it is determined that the further modification has occurred, then conducting at least one action reflecting a determination that the advertisement is more likely to present a potential or actual security threat than if it had been determined that the further modification had not occurred.
2. The method of claim 1, comprising determining if a further modification has occurred by determining whether code modified by the first modification has been altered after the first modification.
3. The method of claim 1, comprising, prior to determining that the advertisement does not appear to present a potential or actual security threat:
determining that the advertisement appears to present a potential or actual security threat; and
modifying code associated with the advertisement to remove the potential or actual security threat.
4. The method of claim 1, wherein performing a first modification of code comprises fuzzing code associated with the advertisement, and wherein detected alteration of fuzzed code indicates a further modification of code associated with the advertisement.
5. The method of claim 1, wherein performing a first modification of code comprises modifying code associated with at least one pixel.
6. The method of claim 1, wherein performing a first modification of code comprises modifying code such that the advertisement as presented is not visibly modified.
7. The method of claim 1, wherein performing a first modification of code comprises introducing a checksum or digital watermark.
8. The method of claim 1, wherein performing a first modification of code comprises introducing a digital watermark.
9. The method of claim 1, wherein performing a first modification of code comprises introducing a coded message.
10. The method of claim 1, wherein determining that a further modification has occurred comprises determining that a security coding, resulting from the first modification, has been breached.
11. The method of claim 1, wherein taking at least one action comprises at least temporarily removing the advertisement from being available for serving to users.
12. The method of claim 1, wherein taking least one action comprises testing behavioral characteristics associated with the advertisement to determine if a change in the behavioral characteristics has occurred since the first set of information was obtained.
13. The method of claim 1, comprising, during an active period, repeatedly or periodically over time, assessing the advertisement to determine whether a further modification of code associated with the advertisement appears to have occurred following the first modification and at an active time.
14. The method of claim 1, wherein presenting a potential or actual security threat comprises presenting a risk of being malicious.
15. The method of claim 1, wherein presenting a potential or actual security threat comprises presenting a risk of introducing a dangerous resource onto a user computer.
16. The method of claim 1, wherein presenting a potential or actual security threat comprises presenting a risk of deleting or modifying a resource or code stored on a user computer.
17. A system comprising:
one or more server computers connected to a network; and
one or more databases connected to the one or more server computers;
wherein the one or more server computers are for:
testing an advertisement at a non-active time to obtain a first set of information identifying a set of behavioral characteristics associated with the advertisement, a non-active time being a time at which the advertisement is not available for serving to users;
storing the first set of information in at least one of the one or more databases;
based at least in part on the first set of information, determining that the advertisement does not appear to present a potential or actual security threat;
performing a first modification of code associated with the advertisement;
during an active time, assessing the advertisement to determine whether a further modification of code associated with the advertisement appears to have occurred following the first modification, an active time being a time at which the advertisement is available for serving to users; and
if it is determined that the further modification has occurred, then conducting at least one action reflecting a determination that the advertisement is more likely to present a potential or actual security threat than if it had been determined that the further modification had not occurred.
18. The system of claim 17, comprising, if it is determined that the further modification has occurred, removing the advertisement from being available for serving to users for at least a period of time.
19. The system of claim 17, comprising, prior to determining that the advertisement does not appear to present a potential or actual security threat:
determining that the advertisement appears to present a potential or actual security threat; and
modifying code associated with the advertisement to remove the potential or actual security threat.
20. A computer readable medium or media containing instructions for executing a method, the method comprising:
using one or more computers, determining that an advertisement appears to present a potential or actual security threat;
using one or more computers, neutralizing the apparent potential or actual security threat;
using one or more computers, testing an advertisement at a non-active time to obtain a first set of information identifying a set of behavioral characteristics associated with the advertisement, a non-active time being a time at which the advertisement is not available for serving to users;
using one or more computers, storing the first set of information;
using one or more computers, based at least in part on the first set of information, determining that the advertisement does not appear to present a potential or actual security threat;
using one or more computers, performing a first modification of code associated with the advertisement;
using one or more computers, during an active time, assessing the advertisement to determine whether a further modification of code associated with the advertisement appears to have occurred following the first modification, an active time being a time at which the advertisement is available for serving to users; and
using one or more computers, if it is determined that the further modification has occurred, then conducting at least one action reflecting a determination that the advertisement is more likely to present a potential or actual security threat than if it had been determined that the further modification had not occurred.
US12/699,402 2010-02-03 2010-02-03 Security techniques for use in malicious advertisement management Abandoned US20110191853A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US12/699,402 US20110191853A1 (en) 2010-02-03 2010-02-03 Security techniques for use in malicious advertisement management

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US12/699,402 US20110191853A1 (en) 2010-02-03 2010-02-03 Security techniques for use in malicious advertisement management

Publications (1)

Publication Number Publication Date
US20110191853A1 true US20110191853A1 (en) 2011-08-04

Family

ID=44342803

Family Applications (1)

Application Number Title Priority Date Filing Date
US12/699,402 Abandoned US20110191853A1 (en) 2010-02-03 2010-02-03 Security techniques for use in malicious advertisement management

Country Status (1)

Country Link
US (1) US20110191853A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10419460B2 (en) * 2017-07-21 2019-09-17 Oath, Inc. Method and system for detecting abnormal online user activity
US10678923B1 (en) * 2019-07-10 2020-06-09 Five Media Marketing Limited Security management of advertisements at online advertising networks and online advertising exchanges

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050283836A1 (en) * 2004-06-21 2005-12-22 Chris Lalonde Method and system to detect externally-referenced malicious data for access and/or publication via a computer system
US20060101521A1 (en) * 2002-10-17 2006-05-11 Shlomo Rabinovitch System and method for secure usage right management of digital products
US20080052162A1 (en) * 2006-07-27 2008-02-28 Wood Charles B Calendar-Based Advertising
US20080243602A1 (en) * 2007-03-28 2008-10-02 Telefonaktiebolaget Lm Ericsson (Publ) Systems and methods for providing iptv advertisements
US20090055651A1 (en) * 2007-08-24 2009-02-26 Bernd Girod Authenticated media communication system and approach
US20090094175A1 (en) * 2007-10-05 2009-04-09 Google Inc. Intrusive software management
US20090287653A1 (en) * 2008-05-13 2009-11-19 Bennett James D Internet search engine preventing virus exchange
US20090300675A1 (en) * 2008-06-02 2009-12-03 Roy Shkedi Targeted television advertisements associated with online users' preferred television programs or channels
US20090327084A1 (en) * 2008-02-14 2009-12-31 SiteScout Corporation Graphical certifications of online advertisements intended to impact click-through rates
US20110047618A1 (en) * 2006-10-18 2011-02-24 University Of Virginia Patent Foundation Method, System, and Computer Program Product for Malware Detection, Analysis, and Response
US8037527B2 (en) * 2004-11-08 2011-10-11 Bt Web Solutions, Llc Method and apparatus for look-ahead security scanning

Patent Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060101521A1 (en) * 2002-10-17 2006-05-11 Shlomo Rabinovitch System and method for secure usage right management of digital products
US20050283836A1 (en) * 2004-06-21 2005-12-22 Chris Lalonde Method and system to detect externally-referenced malicious data for access and/or publication via a computer system
US8037527B2 (en) * 2004-11-08 2011-10-11 Bt Web Solutions, Llc Method and apparatus for look-ahead security scanning
US20080052162A1 (en) * 2006-07-27 2008-02-28 Wood Charles B Calendar-Based Advertising
US20110047618A1 (en) * 2006-10-18 2011-02-24 University Of Virginia Patent Foundation Method, System, and Computer Program Product for Malware Detection, Analysis, and Response
US20080243602A1 (en) * 2007-03-28 2008-10-02 Telefonaktiebolaget Lm Ericsson (Publ) Systems and methods for providing iptv advertisements
US20090055651A1 (en) * 2007-08-24 2009-02-26 Bernd Girod Authenticated media communication system and approach
US20090094175A1 (en) * 2007-10-05 2009-04-09 Google Inc. Intrusive software management
US20090094697A1 (en) * 2007-10-05 2009-04-09 Google Inc. Intrusive software management
US20090327084A1 (en) * 2008-02-14 2009-12-31 SiteScout Corporation Graphical certifications of online advertisements intended to impact click-through rates
US20090287653A1 (en) * 2008-05-13 2009-11-19 Bennett James D Internet search engine preventing virus exchange
US20090300675A1 (en) * 2008-06-02 2009-12-03 Roy Shkedi Targeted television advertisements associated with online users' preferred television programs or channels

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10419460B2 (en) * 2017-07-21 2019-09-17 Oath, Inc. Method and system for detecting abnormal online user activity
US11212301B2 (en) 2017-07-21 2021-12-28 Verizon Media Inc. Method and system for detecting abnormal online user activity
US10678923B1 (en) * 2019-07-10 2020-06-09 Five Media Marketing Limited Security management of advertisements at online advertising networks and online advertising exchanges
US11762997B2 (en) 2019-07-10 2023-09-19 Five Media Marketing Limited Security management of advertisements at online advertising networks and online advertising exchanges

Similar Documents

Publication Publication Date Title
US11570211B1 (en) Detection of phishing attacks using similarity analysis
US9032085B1 (en) Identifying use of software applications
AU2015380394B2 (en) Methods and systems for identifying potential enterprise software threats based on visual and non-visual data
US9734332B2 (en) Behavior profiling for malware detection
US8448245B2 (en) Automated identification of phishing, phony and malicious web sites
US8856937B1 (en) Methods and systems for identifying fraudulent websites
US8533328B2 (en) Method and system of determining vulnerability of web application
US8607338B2 (en) Malicious advertisement management
US8256000B1 (en) Method and system for identifying icons
US20180082061A1 (en) Scanning device, cloud management device, method and system for checking and killing malicious programs
CN112703496B (en) Content policy based notification to application users regarding malicious browser plug-ins
US20190222587A1 (en) System and method for detection of attacks in a computer network using deception elements
CN107463844B (en) WEB Trojan horse detection method and system
WO2015164338A1 (en) System and method for controlling audience data and tracking
Siby et al. {WebGraph}: Capturing advertising and tracking information flows for robust blocking
Ramesh et al. Identification of phishing webpages and its target domains by analyzing the feign relationship
CN106250761B (en) Equipment, device and method for identifying web automation tool
US9009819B1 (en) Method and system for detecting rogue security software that displays frequent misleading warnings
Kanti et al. Implementing a Web browser with Web defacement detection techniques
US20120278885A1 (en) Maintaining data integrity
US11580248B2 (en) Data loss prevention
JP6169497B2 (en) Connection destination information determination device, connection destination information determination method, and program
US20110191853A1 (en) Security techniques for use in malicious advertisement management
US20130339158A1 (en) Determining legitimate and malicious advertisements using advertising delivery sequences
US20120304291A1 (en) Rotation of web site content to prevent e-mail spam/phishing attacks

Legal Events

Date Code Title Description
AS Assignment

Owner name: YAHOO| INC., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:ATCHA, FAIZAL;REEL/FRAME:023893/0120

Effective date: 20100129

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION

AS Assignment

Owner name: YAHOO HOLDINGS, INC., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:YAHOO| INC.;REEL/FRAME:042963/0211

Effective date: 20170613

AS Assignment

Owner name: OATH INC., NEW YORK

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:YAHOO HOLDINGS, INC.;REEL/FRAME:045240/0310

Effective date: 20171231